
Powershell Script to Install Certificate Into Active Directory Store

I'm trying to write a PowerShell script to install a certificate into the Active Directory certificate store.

Here are the steps to do this manually; any help would be greatly appreciated.

On a Windows 2008R2 domain controller,

Click Start -> Run

type MMC

click ok

Click File -> Add/Remove Snap-In

Select "Certificates" -> Add

Select "Service Account"

Click Next

Select "Local Computer"

Click Next

Select "Active Directory Domain Services"

Click Finish

Click Ok

I want the script to install the certificate into:

NTDS\Personal

I would post an image but I don't have enough "reputation" apparently, so I can only provide text instructions.

So basically what I've tried is, I've used this PowerShell function below to import a certificate into the Local Machine -> Personal store, which is where most certificates go, and the code works.

But I need to install the certificate into the "NTDS\Personal" store on a domain controller, and $certRootStore only accepts LocalMachine or CurrentUser, so I'm stuck :/

function Import-PfxCertificate
{
    param
    (
        [String]$certPath,
        [String]$certRootStore = "localmachine",
        [String]$certStore = "My",
        $pfxPass = $null
    )
    $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2

    # Prompt for the PFX password when none was supplied ($null on the left
    # side avoids the array-comparison pitfall of "$pfxPass -eq $null")
    if ($null -eq $pfxPass)
    {
        $pfxPass = read-host "Password" -assecurestring
    }

    # Exportable + PersistKeySet so the private key survives after this session
    $pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet")

    # X509Store only understands the CurrentUser and LocalMachine locations
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
    $store.open("MaxAllowed")
    $store.add($pfx)
    $store.close()
}

Import-PfxCertificate -certPath "d:\Certificate.pfx"

Regards, Alex

Alright, first the bad news. The only managed certificate stores are LocalMachine and CurrentUser, as we have all seen in PowerShell.

Now, the not so bad news. We know that the 'physical' location store (physical is MS' word, not mine) exists in the registry on the ADDS server, HKLM\Software\Microsoft\Cryptography\Services\NTDS\SystemCertificates. This was dually verified by both

  1. Using procmon while importing a certificate into the store using the mmc snap-in

  2. Scavenging msdn for this nugget

The link in #2 shows that all physical stores for services are stored in the path mentioned above, substituting NTDS for . The real service name, not the display name.

However, because of the bad news, trying to map it in PowerShell with that reg key as the root and -PSProvider Certificate will prove disappointing; it was the first thing I tried.

What one can try is using the X509Store constructor that takes an IntPtr to a SystemStore, as described here. Yes, that involves some unmanaged code, and mixing the two is something I do rarely, but this and googling for HCERTSTORE C# should get you there.

Using a combination of what you already had above and the registry keys for the two certificate stores, this works.

The only other thing is that I don't know how NTDS determines which certificate to use when there are multiple in the certificate store.

function Import-NTDSCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PFXFile,

        [Parameter(Mandatory)]
        [string]$PFXPassword,

        #Remove certificate from LocalMachine\Personal certificate store
        [switch]$Cleanup
    )
    begin{
        Write-Verbose -Message "Importing PFX file."
        $PFXObject = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
        # MachineKeySet and PersistKeySet keep the private key in the machine key
        # container after this process exits; with Exportable alone the key can be
        # discarded when the object is disposed, leaving the NTDS copy without a key
        $keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable,MachineKeySet,PersistKeySet'
        $PFXObject.Import($PFXFile,$PFXPassword,$keyFlags)

        $thumbprint = $PFXObject.Thumbprint
    }
    process{
        Write-Verbose -Message "Importing certificate into LocalMachine\Personal"
        $certificateStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store('My','LocalMachine')
        $certificateStore.Open('MaxAllowed')
        $certificateStore.Add($PFXObject)
        $certificateStore.Close()

        # The physical store for a service lives under the Cryptography\Services key,
        # so copying the registry entry (the thumbprint key and its Blob value) makes
        # the certificate visible in NTDS\Personal
        Write-Verbose -Message "Copying certificate from LocalMachine\Personal to NTDS\Personal"
        $copyParameters = @{
            'Path' = "HKLM:\Software\Microsoft\SystemCertificates\MY\Certificates\$thumbprint"
            'Destination' = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\$thumbprint"
            'Recurse' = $true
        }
        Copy-Item @copyParameters
    }
    end{
        if ($Cleanup){
            Write-Verbose -Message "Removing certificate from LocalMachine\Personal"
            $removalParameters = @{
                'Path' = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$thumbprint"
                'Recurse' = $true
            }
            Remove-Item @removalParameters
        }
    }
}

Although this post is several years old, it is still useful and shows up in searches, so to address the question "I don't know how NTDS determines which certificate to use when there are multiple in the certificate store": the answer is that when two or more valid certificates meeting the request criteria are installed, you will get unreliable results, so it is recommended to remove old/unneeded certificates and keep the newest/best certificate for server authentication.
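As an added example (it is not part of either answer or the comment above), the following PowerShell takes the route the first answer points at: it opens the NTDS service store through CryptoAPI's CertOpenStore with the CERT_SYSTEM_STORE_SERVICES location and hands the resulting HCERTSTORE to the X509Store(IntPtr) constructor, so the certificate is added to NTDS\My without copying registry keys. It then lists that store and warns when more than one valid Server Authentication certificate is present, which is the unreliable situation the last comment describes. It assumes Windows PowerShell 5.1 (.NET Framework) on the domain controller, run elevated; the function names, the PFX path and the password prompt are placeholders of mine.

```powershell
# Added example: import into the NTDS service store via CryptoAPI and audit it.
# Assumptions: Windows PowerShell 5.1 on a domain controller, elevated session.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeCertStore
{
    // CertOpenStore provider CERT_STORE_PROV_SYSTEM_W (10) with the
    // CERT_SYSTEM_STORE_SERVICES location (5 << 16); pvPara is then
    // "ServiceName\StoreName", e.g. "NTDS\MY" (the real service name).
    public static readonly IntPtr CERT_STORE_PROV_SYSTEM_W = new IntPtr(10);
    public const int CERT_SYSTEM_STORE_SERVICES = 0x00050000;

    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CertOpenStore(IntPtr lpszStoreProvider, int dwEncodingType,
        IntPtr hCryptProv, int dwFlags, [MarshalAs(UnmanagedType.LPWStr)] string pvPara);

    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool CertCloseStore(IntPtr hCertStore, int dwFlags);
}
'@

function Open-ServiceCertStore {
    # Returns an X509Store bound to <Service>\<Store>; the handle is already open,
    # so X509Store.Open() is not called on it (it only accepts CurrentUser/LocalMachine).
    param([string]$ServiceName = 'NTDS', [string]$StoreName = 'MY')
    $handle = [NativeCertStore]::CertOpenStore(
        [NativeCertStore]::CERT_STORE_PROV_SYSTEM_W, 0, [IntPtr]::Zero,
        [NativeCertStore]::CERT_SYSTEM_STORE_SERVICES, "$ServiceName\$StoreName")
    if ($handle -eq [IntPtr]::Zero) {
        throw "CertOpenStore failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # X509Store(IntPtr) duplicates the handle, so our own copy can be released
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($handle)
    [void][NativeCertStore]::CertCloseStore($handle, 0)
    return $store
}

function Import-NTDSCertificateNative {
    param(
        [Parameter(Mandatory)][string]$PFXFile,
        [Parameter(Mandatory)][securestring]$PFXPassword
    )
    # MachineKeySet + PersistKeySet: the private key goes to the machine key
    # container and outlives this process, which the NTDS service needs
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PFXFile, $PFXPassword, $flags)
    $store = Open-ServiceCertStore -ServiceName 'NTDS' -StoreName 'MY'
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Get-NTDSServerAuthCertificate {
    # Lists NTDS\My and flags more than one currently valid certificate usable
    # for Server Authentication (EKU 1.3.6.1.5.5.7.3.1, or no EKU extension at
    # all, which RFC 5280 treats as unrestricted).
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $store = Open-ServiceCertStore -ServiceName 'NTDS' -StoreName 'MY'
    try {
        $now = Get-Date
        $report = foreach ($c in $store.Certificates) {
            $ekus = @($c.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
            [pscustomobject]@{
                Thumbprint    = $c.Thumbprint
                Subject       = $c.Subject
                NotAfter      = $c.NotAfter
                HasPrivateKey = $c.HasPrivateKey
                ServerAuth    = ($ekus.Count -eq 0 -or $ekus -contains $serverAuthOid)
                Valid         = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
            }
        }
    } finally { $store.Close() }
    $candidates = @($report | Where-Object { $_.ServerAuth -and $_.Valid -and $_.HasPrivateKey })
    if ($candidates.Count -gt 1) {
        Write-Warning "$($candidates.Count) valid Server Authentication certificates in NTDS\My; NTDS may pick any of them, so remove the ones you do not want used."
    }
    return $report
}

# Usage (placeholder path):
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Import-NTDSCertificateNative -PFXFile 'D:\Certificate.pfx' -PFXPassword $pw
# Get-NTDSServerAuthCertificate | Format-Table -AutoSize
```

Adding through the store handle lets CryptoAPI write the physical store entry (and the private-key link property) itself, so the result matches what the MMC snap-in produces; running the audit function afterwards shows whether the domain controller now holds exactly one valid candidate.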
